How to selectively index and forward with filtering?

dottom
Path Finder

Is there a way to selectively index and forward by using filtering criteria such as hostname, sourcetype, or REGEX in transforms.conf? Currently, I can selectively index and forward on a per input stanza basis in inputs.conf, but I don't want to forward everything coming into an input.

If I were to only forward (and not index locally), I would use a REGEX in transforms.conf with a [stanza] in props.conf to filter what to forward. But it looks like using transforms.conf and props.conf is not supported for selective index and forwarding.

0 Karma

dottom
Path Finder

That solution doesn't work for this environment because I cannot configure the forwarders to send to different indexers. I have a single indexer that is the central hub for many different data inputs. What I want to do is selectively forward and index from a single indexer.

Right now, with Splunk, an indexer can selectively forward without indexing.

I am using "indexAndForward" and _INDEX_AND_FORWARD_ROUTING in each input stanza. So at the moment, my forwarding granularity is limited to a stanza in inputs.conf. What I want to do is be able to use props.conf and transforms.conf to selectively decide:

  • What to index only, and not forward.
  • What to index and forward.

MuS
Legend

Hi dottom

Well, basically an indexer can do the same filtering/routing of data as a forwarder. Here is a post about how to configure a forwarder to send different information to 2 different indexers.

So your indexer can be set up to filter data to different indexes or forward any data to 3rd-party systems.

Regards

dottom
Path Finder

My scenario is different in that I don't want to filter out events from being indexed. What I want to do is filter events to be forwarded, i.e. do not forward some events (only index them), forward a specific sourcetype to remoteHostA, forward events matching a specific REGEX string to remoteHostB, etc.

The scenario:

  • A single inputs.conf stanza receives logs from 100 different systems.

  • I want to index all of them (using "indexAndForward" and _INDEX_AND_FORWARD_ROUTING in each input stanza).

  • But I want to selectively forward some logs to some other log consumer devices (using props.conf and transforms.conf, which does not work for "indexAndForward").

I don't want to just forward using an LWF/HF/UF, which is very flexible to customize using props.conf and transforms.conf. This is an "index and selectively forward" approach.

As a kludge, I've considered running both a forwarder and an indexer instance (two Splunk instances) and having the forwarder forward locally what I want indexed, and forward remotely what I want sent off to other log collection devices. But I really don't want to run two Splunk instances just to have flexible filtering capability for an "index and forward" design.

0 Karma

MuS
Legend

Hi dottom

Either take a look here:
http://splunk-base.splunk.com/answers/1888/how-do-i-configure-splunk-to-filter-out-events-i-dont-wan...

or read the docs here:
http://www.splunk.com/base/Documentation/4.2.1/Deploy/Routeandfilterdatad

Both are working as designed, but be aware of this:
http://splunk-base.splunk.com/answers/13139/wineventlogsecurity-filtering-does-not-work

I just ran into this bug last week. But as said, besides this, all is working as written in the docs.

regards
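The following is an added configuration example, not taken from the thread or from Splunk's documentation, showing the "index everything, forward selectively" layout the question describes on a single indexer: every event is indexed locally, one sourcetype is forwarded to remoteHostA, events matching a regex are forwarded to remoteHostB, and everything else is index-only. The hostnames, ports, sourcetype names, stanza names and the regex are assumptions chosen for illustration.

```ini
# ---- outputs.conf (on the indexer that receives all the inputs) ----

# Keep a local copy of every event. Forwarding is decided per event by
# the _TCP_ROUTING transforms below, not by this stanza.
# selectiveIndexing is left at its default (false) on purpose: with it
# true, only inputs tagged with _INDEX_AND_FORWARD_ROUTING would be indexed.
[indexAndForward]
index = true

# No defaultGroup here, deliberately: an event that no routing transform
# claims has no target group, so it is indexed locally and not forwarded.
[tcpout]

# Assumed downstream log consumers; replace with the real hosts/ports.
[tcpout:remoteHostA]
server = remoteHostA.example.com:9997

[tcpout:remoteHostB]
server = remoteHostB.example.com:9997

# ---- transforms.conf ----

# Forward every event of the sourcetype this transform is attached to.
[route_all_to_a]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = remoteHostA

# Forward only events whose raw text matches the (assumed) pattern.
[route_auth_failures_to_b]
REGEX = (?i)failed password|authentication failure
DEST_KEY = _TCP_ROUTING
FORMAT = remoteHostB

# ---- props.conf ----

# Assumed sourcetype: everything tagged cisco:asa is indexed AND sent to A.
[cisco:asa]
TRANSFORMS-routing = route_all_to_a

# Assumed sourcetype: all syslog is indexed; only matching lines also go to B.
# TRANSFORMS are evaluated left to right; if two transforms match the same
# event, the later one overwrites _TCP_ROUTING, so order them accordingly.
[syslog]
TRANSFORMS-routing = route_auth_failures_to_b
```

Two things to check before relying on this. First, _TCP_ROUTING is applied in the parsing pipeline, so it only takes effect for data the indexer itself parses (raw TCP/UDP inputs, files, or data from universal forwarders); events that were already parsed by an upstream heavy forwarder are not re-evaluated against these transforms. Second, FORMAT may name several groups separated by commas, which is how one event can be sent to both consumers; leaving an event without any _TCP_ROUTING value is what keeps it local-only, so confirm in outputs.conf.spec for your version that an unset defaultGroup behaves that way rather than raising a warning.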
